github aquasecurity/trivy v0.14.0

3 years ago

Features

Add primary URLs (#752)

Trivy shows a primary URL in the result as follows.

alpine:3.10 (alpine 3.10.5)
===========================
Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |                URL                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
| musl       | CVE-2020-28928   | UNKNOWN  | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,    | avd.aquasec.com/nvd/cve-2020-28928 |
|            |                  |          |                   |               | wcsnrtombs mishandles          |                                    |
|            |                  |          |                   |               | particular combinations of     |                                    |
|            |                  |          |                   |               | destination buffer...          |                                    |
+------------+                  +          +                   +               +                                +                                    +
| musl-utils |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+

[
  {
    "Target": "alpine:3.10 (alpine 3.10.5)",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2020-28928",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928",
        ...
      }
    ]
  }
]

In both the table and the JSON output, https://avd.aquasec.com/nvd/cve-2020-28928 appears as the primary URL.
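
A consumer of the JSON report can use PrimaryURL to give each finding one link for triage. The following is an added example, not part of the Trivy release notes or Trivy's own code: it groups findings by VulnerabilityID, keeps one primary URL per ID, and treats an empty severity as UNKNOWN. The sample report is constructed, and the field names other than VulnerabilityID and PrimaryURL (PkgName, InstalledVersion, FixedVersion, Severity) are assumed from Trivy's JSON output.

```python
import json
from collections import OrderedDict

# Constructed sample in the report shape shown above (top-level list of targets).
# Fields other than VulnerabilityID and PrimaryURL are assumed from Trivy's JSON output.
SAMPLE_REPORT = """
[
  {"Target": "alpine:3.10 (alpine 3.10.5)", "Type": "alpine",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-2020-28928", "PkgName": "musl",
      "InstalledVersion": "1.1.22-r3", "FixedVersion": "1.1.22-r4", "Severity": "",
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928"},
     {"VulnerabilityID": "CVE-2020-28928", "PkgName": "musl-utils",
      "InstalledVersion": "1.1.22-r3", "FixedVersion": "1.1.22-r4", "Severity": "UNKNOWN",
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928"}
   ]},
  {"Target": "app/empty", "Type": "bundler", "Vulnerabilities": null}
]
"""

def triage(report_json):
    """Group findings by vulnerability ID, one row per ID with its primary URL."""
    rows = OrderedDict()
    for result in json.loads(report_json):
        # A target with no findings may carry null instead of a list.
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            row = rows.setdefault(vid, {"id": vid, "severity": "UNKNOWN",
                                        "url": None, "packages": []})
            # Treat an empty or missing severity as UNKNOWN so the finding is never dropped.
            sev = vuln.get("Severity") or "UNKNOWN"
            if sev != "UNKNOWN":
                row["severity"] = sev
            # Reports produced before this release have no PrimaryURL; keep None then.
            row["url"] = row["url"] or vuln.get("PrimaryURL")
            pkg = "%s %s" % (vuln.get("PkgName", "?"), vuln.get("InstalledVersion", "?"))
            if pkg not in row["packages"]:
                row["packages"].append(pkg)
    return list(rows.values())

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row["severity"], row["id"], row["url"] or "(no primary URL)",
              ", ".join(row["packages"]))
```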

Remove rpm dependency (#753)

Trivy no longer requires the rpm command on the host. You can scan a RHEL-based image without rpm.

$ rpm
bash: rpm: command not found
$ trivy image -o /dev/null centos:7

centos:7 (centos 7.9.2009)
==========================
Total: 601 (UNKNOWN: 0, LOW: 358, MEDIUM: 240, HIGH: 3, CRITICAL: 0)

Bug fixes

--light shows fewer results (#755)

There was a bug where vulnerabilities with unknown severity did not appear in the results when using the --light option.

Changelog

9bdbeab feat: remove rpm dependency (#753)
d85cb77 fix(vulnerability): make an empty severity UNKNOWN (#759)
1bee83c chore(README): add TRIVY_INSECURE (#760)
4d18943 feat(vulnerability): add primary URLs (#752)

Docker images

  • docker pull docker.io/aquasec/trivy:0.14.0
  • docker pull docker.io/aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:0.14.0
  • docker pull ghcr.io/aquasecurity/trivy:latest
